hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10607) Create an API to Separate Credentials/Password Storage from Applications
Date Wed, 28 May 2014 22:07:02 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14011679#comment-14011679

Larry McCay commented on HADOOP-10607:

Okay let's summarize an approach here...

If we have a ConfigurationCredentialProvider that simply looks for the credential in configuration
* this can be the default provider which will allow for passwords in clear text and work out
of the box
* we can place a real credential provider in front of it in the provider path and allow for
password aliases to be resolved and then fall back to Configuration

If we add a new method to Configuration - getPassword(String name) then:
* we essentially extend the configuration file to include the credentials available through
the provider API
* we will leverage the CredentialProvider API to get the password whether it be in a store
or in the configuration file without the consuming code or even the Configuration code knowing
where it comes from

If we leverage the existing configuration property names as the aliases into the credential
store then:
* we can simply remove the password config elements from files when not in clear text or
* add a value of ALIASED or something that indicates that the value is elsewhere (in case
the property is mandatory for some elements)

Is this accurate?

> Create an API to Separate Credentials/Password Storage from Applications
> ------------------------------------------------------------------------
>                 Key: HADOOP-10607
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10607
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 3.0.0
>         Attachments: 10607-2.patch, 10607-3.patch, 10607-4.patch, 10607-5.patch, 10607.patch
> As with the filesystem API, we need to provide a generic mechanism to support multiple
credential storage mechanisms that are potentially from third parties. 
> We need the ability to eliminate the storage of passwords and secrets in clear text within
configuration files or within code.
> Toward that end, I propose an API that is configured using a list of URLs of CredentialProviders.
The implementation will look for implementations using the ServiceLoader interface and thus
support third party libraries.
> Two providers will be included in this patch. One using the credentials cache in MapReduce
jobs and the other using Java KeyStores from either HDFS or local file system. 
> A CredShell CLI will also be included in this patch which provides the ability to manage
the credentials within the stores.

This message was sent by Atlassian JIRA

View raw message